vga: fixes for virtio-gpu and cirrus.

-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJYdgfYAAoJEEy22O7T6HE4tDYQAM4Pte9qCTi8yf1f9oOPnM5L
 9R86SPNwV42b162s+v1l3bZ1mebReJHcRmYWN53Mbv/M4jhuuGN678gGa0ok3cN/
 Jo0J8DdpycjbqM07bF/YOa001mjxX9eRw2hJhIkxAG1Dd64DSRslqPz5PDUz9/1z
 dvxHovDC/jL3YfNKXqihLogWzIAlw458Z5f7EHIlKURjaNQ+fi5ZKyzNl4PTzkAm
 DkN3CSiXg0DR6++50ds9HrTeXyhCkByU6dEqffmN2VofPnhSnNmem3p1SQum88XY
 7WYi2WHUWuncFw+4zzOvMU+8WD52Y6xe2Y5a/VBmK/hUqrHb+1V7Q3Ck+6PTIBlx
 pY/KZUrKr3M4rY1Ik0SiJSRx8Ub50oMJdQ2pCsWhHjNJXECCGgUWt/d1oWMyug1y
 3sONKCq9BggSISvX1QN48lXKSdObd5B8aWmSxxsaR42eUok2Bv2OV4LQIUQ4vtFx
 mxe31H6YNt4/zgX/BOhs85+VLFLXvjrc9u1fS5PFIS+CyToepn/4G9T85AsQ3RsB
 9HE0Mue00x8EhcrBh7YVjq98LGnkvPpabHV02DaJTG47koWli7ApxHz1PNCym2hM
 vaowH2pltoR4bb/2tEcokF6P/kV/DlxgjRAFrxDHjKKJX24vTPDNDxMhWXgC4wE1
 3OdKARbysrrXqVtWW8eq
 =W7M/
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/pull-vga-20170111-1' into staging

vga: fixes for virtio-gpu and cirrus.

# gpg: Signature made Wed 11 Jan 2017 10:24:24 GMT
# gpg:                using RSA key 0x4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/pull-vga-20170111-1:
  virtio-gpu: tag as not hotpluggable
  virtio-gpu: Fix memory leak in virtio_gpu_load()
  virtio-gpu: Recalculate VirtIOGPU::hostmem on VM load
  display: cirrus: ignore source pitch value as needed in blit_is_unsafe
  virtio-gpu: fix information leak in capset get dispatch

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

hw/display/cirrus_vga.c

@@ -294,7 +294,7 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
     return false;
 }
 
-static bool blit_is_unsafe(struct CirrusVGAState *s)
+static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
 {
     /* should be the case, see cirrus_bitblt_start */
     assert(s->cirrus_blt_width > 0);
@@ -308,6 +308,9 @@ static bool blit_is_unsafe(struct CirrusVGAState *s)
                               s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
         return true;
     }
+    if (dst_only) {
+        return false;
+    }
     if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
                               s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
         return true;
@@ -673,7 +676,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
 
     dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
 
-    if (blit_is_unsafe(s))
+    if (blit_is_unsafe(s, false))
         return 0;
 
     (*s->cirrus_rop) (s, dst, src,
@@ -691,7 +694,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
 {
     cirrus_fill_t rop_func;
 
-    if (blit_is_unsafe(s)) {
+    if (blit_is_unsafe(s, true)) {
         return 0;
     }
     rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
@@ -795,7 +798,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
 
 static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
 {
-    if (blit_is_unsafe(s))
+    if (blit_is_unsafe(s, false))
         return 0;
 
     return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,

hw/display/virtio-gpu-3d.c

@@ -379,7 +379,7 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
         return;
     }
 
-    resp = g_malloc(sizeof(*resp) + max_size);
+    resp = g_malloc0(sizeof(*resp) + max_size);
     resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
     virgl_renderer_fill_caps(gc.capset_id,
                              gc.capset_version,

hw/display/virtio-gpu.c

@@ -1038,6 +1038,8 @@ static int virtio_gpu_load(QEMUFile *f, void *opaque, size_t size)
     uint32_t resource_id, pformat;
     int i;
 
+    g->hostmem = 0;
+
     resource_id = qemu_get_be32(f);
     while (resource_id != 0) {
         res = g_new0(struct virtio_gpu_simple_resource, 1);
@@ -1050,15 +1052,19 @@ static int virtio_gpu_load(QEMUFile *f, void *opaque, size_t size)
         /* allocate */
         pformat = get_pixman_format(res->format);
         if (!pformat) {
+            g_free(res);
             return -EINVAL;
         }
         res->image = pixman_image_create_bits(pformat,
                                               res->width, res->height,
                                               NULL, 0);
         if (!res->image) {
+            g_free(res);
             return -EINVAL;
         }
 
+        res->hostmem = PIXMAN_FORMAT_BPP(pformat) * res->width * res->height;
+
         res->addrs = g_new(uint64_t, res->iov_cnt);
         res->iov = g_new(struct iovec, res->iov_cnt);
 
@@ -1076,11 +1082,22 @@ static int virtio_gpu_load(QEMUFile *f, void *opaque, size_t size)
             res->iov[i].iov_base =
                 cpu_physical_memory_map(res->addrs[i], &len, 1);
             if (!res->iov[i].iov_base || len != res->iov[i].iov_len) {
+                /* Clean up the half-a-mapping we just created... */
+                if (res->iov[i].iov_base) {
+                    cpu_physical_memory_unmap(res->iov[i].iov_base,
+                                              len, 0, 0);
+                }
+                /* ...and the mappings for previous loop iterations */
+                res->iov_cnt = i;
+                virtio_gpu_cleanup_mapping(res);
+                pixman_image_unref(res->image);
+                g_free(res);
                 return -EINVAL;
             }
         }
 
         QTAILQ_INSERT_HEAD(&g->reslist, res, next);
+        g->hostmem += res->hostmem;
 
         resource_id = qemu_get_be32(f);
     }
@@ -1282,6 +1299,7 @@ static void virtio_gpu_class_init(ObjectClass *klass, void *data)
 
     dc->props = virtio_gpu_properties;
     dc->vmsd = &vmstate_virtio_gpu;
+    dc->hotpluggable = false;
 }
 
 static const TypeInfo virtio_gpu_info = {